How Cut The Dos Header From Any Exe File
Started by herman2k, Jan 26 2006 05:12 AM
33 replies to this topic
#1
Posted 26 January 2006 - 05:12 AM
Hi,
Win32 files don't need the DOS header from an executable.
My question: "how can I delete the DOS header from any exe file so that it is still executable?"
regards,
herman2k
#2
Posted 26 January 2006 - 07:36 AM
You want to actually remove it so it reads MZPE? There is a packer which does MZ<imports> (I will have to find out the name for you, can't remember which one it was). Doing it manually is an extremely difficult task because obviously the offsets will be seriously messed up.
#3
Posted 27 January 2006 - 03:57 AM
Hi kbnet,
I think you mean the packer Expressor.
When I cut/delete the DOS header, I believe I must relocate the offsets,
but how do I do that?
regards,
herman2k
#4
Posted 28 January 2006 - 05:45 AM
OK, well you can only cut the MZ header so far (roughly half of the typical MZ header and the stub). The reason you can't cut the whole thing out is that the MZ header contains a pointer (at 3Ch) to the PE header, so if you remove all of the MZ header so that the file reads MZPE, the pointer to the PE header will actually be inside the PE header, and the field it will be pointing to will be the ImageBase in the PE header. So if you do change that value to point to the PE header, you have just screwed the ImageBase and the file will be corrupt. What I would recommend is cutting the bytes between the pointer to the PE header and up to the actual PE header tag. Any bytes you remove must then be placed AFTER the section table so all the offsets are corrected.
When I get a spare 15 mins I will try and put a video together for you, unless you understand all that OK?
#6
Posted 28 January 2006 - 08:53 AM
So have you got it working now? At first glance it looks OK; your pointer to the PE header seems fine. Did you pad it out (insert some bytes) after the section table so the offsets are corrected? Thinking about it, you should be able to store the pointer to the PE header in the Major/Minor linker version field of the PE header; that's probably the best you're going to be able to get.
EDIT: Just out of interest what are you trying to achieve?
Cheers
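The procedure described in #4 and #6 (cut the bytes between e_lfanew and the "PE\0\0" signature, fix e_lfanew, and give the removed bytes back as padding after the section table so no PointerToRawData changes) as a script. This is an added example, not code posted in the thread or shipped with any packer mentioned in it. It handles PE32 only, moves the PE header back to 0x40 rather than into the DOS header, and the sample image it works on is constructed in `build_sample_pe()`, not a real binary. `fields_overlapping_lfanew()` is the check behind the MZPE discussion: for a candidate header offset it lists which PE header fields would share file bytes 0x3C..0x3F with e_lfanew.

```python
"""Trim a PE32 file's DOS stub without changing any section file offset.
Added example; the sample image is constructed, not a real executable."""
import struct

DOS_HDR = 0x40  # sizeof(IMAGE_DOS_HEADER); e_lfanew occupies its last 4 bytes

# PE32 header fields as (offset from "PE\0\0", size, name). Used only to report
# which fields a too-small e_lfanew would make the 0x3C..0x3F bytes overlap.
PE32_FIELDS = [
    (0, 4, "Signature"), (4, 2, "Machine"), (6, 2, "NumberOfSections"),
    (8, 4, "TimeDateStamp"), (12, 4, "PointerToSymbolTable"),
    (16, 4, "NumberOfSymbols"), (20, 2, "SizeOfOptionalHeader"),
    (22, 2, "Characteristics"), (24, 2, "Magic"), (26, 1, "MajorLinkerVersion"),
    (27, 1, "MinorLinkerVersion"), (28, 4, "SizeOfCode"),
    (32, 4, "SizeOfInitializedData"), (36, 4, "SizeOfUninitializedData"),
    (40, 4, "AddressOfEntryPoint"), (44, 4, "BaseOfCode"), (48, 4, "BaseOfData"),
    (52, 4, "ImageBase"), (56, 4, "SectionAlignment"), (60, 4, "FileAlignment"),
]


def fields_overlapping_lfanew(lfanew):
    """Names of PE header fields sharing file bytes 0x3C..0x3F with e_lfanew
    when the PE signature sits at file offset `lfanew` (empty if none)."""
    hit = []
    for off, size, name in PE32_FIELDS:
        lo, hi = lfanew + off, lfanew + off + size  # file range of this field
        if lo < 0x40 and hi > 0x3C:
            hit.append(name)
    return hit


def parse(img):
    """Return (e_lfanew, end-of-section-table offset, [(name, PointerToRawData, SizeOfRawData)])."""
    lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[:2] != b"MZ" or img[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", img, lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, lfanew + 20)[0]
    table = lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", img, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), raw_ptr, raw_size))
    return lfanew, table + 40 * nsec, sections


def cut_dos_stub(img, new_lfanew=DOS_HDR):
    """Move the PE header up to `new_lfanew`, then pad after the section table
    by the same amount, so file length and every section's offset stay put.
    Refuses placements that would make e_lfanew overlap the PE header itself
    (those, like the linker-version trick, need hand editing of that field)."""
    if new_lfanew < DOS_HDR:
        raise ValueError("e_lfanew would overlap: %s" % fields_overlapping_lfanew(new_lfanew))
    lfanew, table_end, _ = parse(img)
    removed = lfanew - new_lfanew
    if removed <= 0:
        return bytes(img)
    out = bytearray(img[:new_lfanew])  # DOS header (stub bytes beyond it are dropped)
    out += img[lfanew:table_end]       # signature, COFF header, optional header, section table
    out += b"\0" * removed             # the cut bytes come back as padding here...
    out += img[table_end:]             # ...so everything after keeps its file offset
    struct.pack_into("<I", out, 0x3C, new_lfanew)
    return bytes(out)


def build_sample_pe():
    """Constructed PE32 image: 64-byte DOS header, 64-byte stub, one .text section."""
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(0x40, b"\0")
    lfanew = DOS_HDR + len(stub)  # 0x80
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 6, 0,
                      0x200, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x2000, 0x200, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + stub + coff + opt + text).ljust(0x200, b"\0")  # SizeOfHeaders = 0x200
    return headers + b"\xC3".ljust(0x200, b"\0")                     # .text: a single RET


if __name__ == "__main__":
    img = build_sample_pe()
    out = cut_dos_stub(img)
    print("e_lfanew %#x -> %#x, sections unchanged: %s" % (parse(img)[0], parse(out)[0], parse(out)[2]))
    for cand in (0x40, 0x22, 0x02):
        print("PE at %#04x overlaps e_lfanew with: %s" % (cand, fields_overlapping_lfanew(cand)))
```

Only the section table's PointerToRawData values are preserved here; anything that addresses the header region by RVA (a data directory placed inside the headers, for example) would also need moving, which the script does not attempt.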
#7
Posted 28 January 2006 - 10:21 AM
Hey bro, the files were created with the packer Expressor
File1: only packed (with DOS header)
File2: packed and DOS header cut
I still need your video
Cya
#8
Posted 29 January 2006 - 11:29 PM
OK, will try and get round to making the video for you this week.
#9
Posted 30 January 2006 - 02:18 AM
Very good, I'm waiting
#10
Posted 30 January 2006 - 03:08 AM
Do you understand the explanation though? If you do, you really should have no problem doing it manually (it will just save me making a video). Have you given it a go?
#11
Posted 30 January 2006 - 03:56 AM
I can't do it manually, I need your help!
I've OllyDbg & Hview...
#12
Posted 30 January 2006 - 04:10 AM
What do you need OllyDbg for? You just need a decent hex editor like Hex Workshop. I will *try* and get the video done tonight, bud. Why are you so desperate to learn how to do this though? If you're thinking it will make malware undetected, it won't.
#13
Posted 30 January 2006 - 04:51 AM
Of course I'm not thinking it makes malware undetected
#14
Posted 30 January 2006 - 03:19 PM
So what was the point of doing this?
#15
Posted 31 January 2006 - 12:37 AM
More knowledge about the PE format!